
CN103583060A - System and method for accessing private networks - Google Patents


Info

Publication number
CN103583060A
Authority
CN
China
Prior art keywords
mobile device
response
inquiry
certificate server
private network
Prior art date
Legal status
Pending
Application number
CN201280027329.6A
Other languages
Chinese (zh)
Inventor
安东尼·罗萨蒂
斯科特·亚历山大·万斯通
马克·E·佩岑
Current Assignee
Certicom Corp
BlackBerry Ltd
Original Assignee
Certicom Corp
BlackBerry Ltd
Priority date
Filing date
Publication date
Application filed by Certicom Corp, BlackBerry Ltd
Publication of CN103583060A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A system and method are provided for using a mobile device to authenticate access to a private network. The mobile device may operate to receive a challenge from an authentication server, the challenge having been generated in response to a request to access a private network; obtain a private value; use the private value, the challenge, and a private key to generate a response to the challenge; and send the response to the authentication server. An authentication server may operate to generate a challenge; send the challenge to a mobile device; receive a response from the mobile device, the response having been generated by the mobile device using a private value, the challenge, and a private key; verify the response; and confirm verification of the response to a VPN gateway to permit a computing device to access the private network.

Description

System and method for accessing private networks
This application claims priority to U.S. Provisional Patent Application No. 61/493,272, filed June 3, 2011, the contents of which are incorporated herein by reference.
Technical field
The following relates to systems and methods for accessing a private network.
Background technology
A two-factor authentication scheme is a password authentication scheme that uses both something the entity being authenticated has ("something you have") and something that entity knows ("something you know"). For example, a user may have a security device or a client application on a personal device, and may know a private or personal value such as a personal identification number (PIN). The security device may be, for example, a token or other physical component that displays a rolling value. The rolling value may also be displayed by a client application running on, for example, a smart phone. The system provided by RSA Security Inc. [product name shown as an image in the original] is an example of a commercial system that employs a two-factor authentication scheme. Two-factor authentication schemes are widely used in particular to allow users to remotely access private networks, for example virtual private networks (VPNs) hosted by an enterprise, including but not limited to VPNs based on Internet Protocol Security (IPSec) and Transport Layer Security (TLS). To be authenticated, the user enters the PIN and the current value displayed by the token. Besides requiring both the token and the PIN, two separate steps are typically needed to enter the required values. Moreover, the rolling value is typically refreshed after a relatively short predetermined period, so the time available to enter the value currently shown by the token is limited, and the step is prone to entry errors or to falling out of step.
A typical two-factor authentication scheme requires an authentication server, for example within the enterprise, and requires each user wishing to access the VPN to carry a token and to be given, or otherwise select, a password, PIN or other private value. When the user starts a VPN client on his or her computer, a secure channel is established with a VPN gateway, which authorizes or denies access to the VPN. The user is then challenged on the computer to enter, in addition to the PIN, the value currently displayed by the token (that is, the two factors). The two factors entered by the user are then sent to the authentication server for verification. Once they are verified, the VPN gateway establishes a secure connection between the user's computer and the VPN.
To authenticate users, the authentication server maintains the PIN associated with each user and the state of the rolling value displayed by that user's token. This not only requires storing sensitive data, namely the PIN, but also requires accurately maintaining the rolling value of every user registered to access the VPN. Beyond the potential storage burden, the state of the token at the authentication server may drift out of synchronization with the state of the token displayed by the security device, in which case re-synchronization may be required.
Accompanying drawing explanation
Embodiments will now be described by way of example only with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a communication system for accessing a private network using a mobile device that has access via a public network.
Fig. 2 is a schematic diagram of a communication system for accessing a private network using a mobile device that does not have access via a public network.
Fig. 3 is a block diagram showing an example configuration of a mobile device.
Fig. 4 is a block diagram showing an example configuration of a computing device having a VPN client.
Fig. 5 is a block diagram showing an example configuration of an authentication server.
Fig. 6 is a screen shot of an example user interface (UI) for obtaining a PIN.
Fig. 7 is a flow chart showing an example set of computer executable operations that may be performed in authenticating access to a private network according to the communication system shown in Fig. 1.
Fig. 8 is a flow chart showing an example set of computer executable operations that may be performed in authenticating access to a private network according to the communication system shown in Fig. 2.
Fig. 9 is a schematic diagram of a communication system for accessing a private network using a mobile device that has access via a public network, the mobile device comprising both a cryptographic module and a VPN client.
Figure 10 is a block diagram showing an example configuration of a mobile device comprising both a cryptographic module and a VPN client.
Figure 11 is a flow chart showing an example set of computer executable operations that may be performed in authenticating access to a private network according to the communication system shown in Figure 10.
Figure 12 is a schematic diagram of a system for an environment in which data items are pushed from a host system to a mobile device, where a router in the environment or the host system comprises a register.
Figure 13 is a block diagram of an example configuration of a mobile device.
Embodiment
It has been recognized that, in addition to storing PINs and maintaining rolling values for each user registered to access a private network, the authentication server used in two-factor authentication schemes such as the one described above may itself be vulnerable to security attacks. An adversary who gains access to the authentication server can not only access personal and/or private information stored by the authentication server, but can also obtain the rolling values, either directly or through the seeds used to generate them. In other words, if the authentication server is compromised, the security of the two-factor authentication scheme may be reduced or lost.
To address the potential security problems associated with conventional two-factor authentication schemes, a private network may be accessed by initiating a challenge/response protocol and sending a challenge to a mobile communication device (such as a smart phone or tablet computer) after a request is made by a private network client, either on the mobile communication device itself or on another computing device such as a personal computer (PC), laptop computer, tablet computer, etc. The mobile communication device may then generate a response to the challenge using the challenge, at least one private value provided by the mobile device, and a PIN obtained from an input. For example, the challenge may be signed using a private key and the PIN. It can be appreciated that various challenge/response protocols may be used, including unilateral authentication protocols, in which only the mobile device is authenticated, and mutual authentication protocols, in which both the mobile device and the authentication server are authenticated.
It will be appreciated that, for simplicity and clarity of illustration, reference numerals may be repeated among the figures where considered appropriate to indicate corresponding or analogous elements. In addition, numerous specific details are set forth in order to provide a thorough understanding of the examples described herein. However, it will be understood by those of ordinary skill in the art that the examples described herein may be practised without these specific details. In other instances, well-known methods, procedures and components have not been described in detail so as not to obscure the examples described herein. Also, the description is not to be considered as limiting the scope of the examples described herein.
For clarity, in the following discussion mobile communication devices are commonly referred to simply as "mobile devices". Examples of applicable mobile devices include, without limitation, cellular phones, smart phones, wireless organizers, pagers, personal digital assistants, computers, laptop computers, handheld or other wireless communication devices, wirelessly enabled notebook computers, portable gaming devices, tablet computers, or any other portable electronic device with processing and communication capabilities.
Fig. 1 shows an example of a private network 2, such as an enterprise network, being remotely accessed through a VPN gateway 6 by a computing device 4, such as a PC, laptop computer or tablet computer, over a public network 8 such as the Internet. In this example, a mobile device 10 is challenged by an authentication server 12 in order to authenticate access to the VPN. A component of a public key infrastructure (PKI) 14, in this example a certification authority (CA) 16 in the PKI 14, pre-configures the mobile device 10 with a private/public key pair (a, A). It can be appreciated that the key pair may be long-term and may be changed periodically. The CA 16 also pre-configures the authentication server 12 with a copy of the public key A associated with each mobile device 10 that is registered to access the private network 2. The mobile device 10 includes or otherwise has access to a cryptographic (crypto) module 18, which may comprise software, hardware, or a combination thereof configured to perform cryptographic operations such as digital signature generation, digital signature verification, data encryption, data decryption, etc. The computing device 4 includes a VPN client 20 for communicating with the VPN gateway 6 over the public network 8 in order to establish a secure channel between them and initiate access to the private network 2.
It can be appreciated that any one or more of the PKI 14, the authentication server 12, and the VPN gateway 6 may be components of an enterprise system that includes the private network 2. Similarly, although the PKI 14, the authentication server 12, and the VPN gateway 6 are shown separately in Fig. 1, this configuration is for illustrative purposes only. For example, the authentication server 12 may be a component of the PKI 14, and the authentication server 12 and the VPN gateway 6 may be hosted by the same server or computing infrastructure. It can also be appreciated that the public network 8 shown in Fig. 1 may represent any type of network, including a wireless network 8'' (see also Fig. 9) or a wired network 8' (see also Fig. 2). Access to the public network 8 may also be provided according to various protocols and over various interfaces (e.g., a wide area network (WAN), a local area network (LAN), a personal area network (PAN), or a direct wired or wireless link).
Fig. 1 also shows an example of a method for authenticating access to the private network using the mobile device 10. At stage 1, the mobile device 10 is pre-configured with the private/public key pair (a, A). As can be seen in Fig. 1, this may be done over the public network 8, for example according to a cryptographic key transport protocol, or performed out of band, for example directly by an information technology (IT) administrator in the enterprise or at manufacture (that is, stage 1', shown in dashed lines). At stage 2, the authentication server 12 is provided with the public key A of the private/public key pair (a, A) pre-configured on the mobile device 10 at stage 1. It can be appreciated that there are various ways to provide the public key to the authentication server 12. For example, a digital certificate issued by the CA 16 may be provided. It can be appreciated that the CA 16 may be part of the enterprise PKI (e.g., part of PKI 14) or may be external. Alternatively, the user may provide an authenticated public key to the authentication server 12 when first requesting access to the private network 2. It can also be appreciated that, because the authentication server 12 stores only the public key of the mobile device 10, only public information is revealed even if the authentication server 12 is compromised. Moreover, to remove a user from the VPN and the private network 2, that user's public key A_i may simply be removed from the authentication server 12. The deleted user can then no longer be authenticated, because the authentication server 12 no longer has that public key.
At stage 3 shown in Fig. 1, the computing device 4 uses the VPN client 20 to request access to the private network 2 by communicating with the VPN gateway 6 over the public network 8 (e.g., the Internet) to establish a secure channel, for example using a Diffie-Hellman key exchange. Upon receiving the request, the VPN gateway 6 communicates with the authentication server 12 at stage 4 to initiate authentication of the associated user. The authentication server 12 initiates a challenge/response protocol and, at stage 5, sends a cryptographic challenge to the mobile device 10 associated with the user who made the request at stage 3. As discussed above, various challenge/response protocols may be used. In this example, the challenge may be a random number generated by the authentication server 12, or some other message that is not vulnerable to replay attacks. In other examples, mutual authentication may be performed, in which both the mobile device 10 and the authentication server 12 contribute a random number and a timestamp. For example, a Secure Sockets Layer (SSL) protocol that supports mutual public-key based authentication may be used.
To respond to the challenge received from the authentication server 12, the crypto module 18 on the mobile device 10 in this example obtains the PIN 30, for example by prompting the user on the display and accepting entry of the PIN 30 from the user via a UI. It can be appreciated that the PIN 30 may be the same value used to unlock the mobile device 10 when it is "locked", or may be a different value. The crypto module 18 uses the entered PIN 30 and a private value stored in a secure location on the mobile device 10, such as the private key a, to sign the challenge, and returns a response at stage 6, the response comprising the signed challenge. It can be appreciated that various cryptographic schemes may be used to sign the challenge and to verify the signature contained in the response. For example, elliptic curve cryptography (ECC) schemes such as the Elliptic Curve Digital Signature Algorithm (ECDSA), Elliptic Curve Pintsov-Vanstone (ECPV), or Elliptic Curve Diffie-Hellman (ECDH) signature mechanisms can provide high security with a relatively small signature size. The signature may include additional information (e.g., a transaction-specific value such as a timestamp) to prevent replay attacks. The authentication server 12 receives the response and verifies the signature on the challenge. If the signature can be verified, the authentication server 12 confirms the verification to the VPN gateway 6 at stage 7. The VPN gateway 6 then permits access to the private network 2 at stage 8.
It may be noted that the data flow shown in the stages of Fig. 1 simplifies the user experience, because the user only needs to enter the PIN 30 and does not need to also enter an additional rolling value displayed on a token, as in the two-factor methods described above. Instead, the crypto module 18 uses a value available only to the mobile device 10 (e.g., the private key a stored on the mobile device 10) to provide the other authentication factor. In other words, by having the authentication server 12 send a challenge to the mobile device 10, the mobile device 10 provides, through entry of the PIN 30, a simple confirmation of the connection requested at stage 3. It may further be noted that, because users are becoming increasingly dependent on their mobile devices 10, the mobile device 10 is more likely to be with the user when such authentication is needed. This avoids the need to carry an additional token or other security device, and it also lets the user detect an attack (for example, when the user receives an authentication challenge while not currently attempting to access the private network 2).
To allow similar two-factor authentication to proceed when the mobile device 10 is out of coverage or otherwise unable to access the public network 8, a configuration such as that shown in Fig. 2 may be used. In the example shown in Fig. 2, it is assumed that the private/public key pair (a, A) was previously pre-configured at stage 1, and that the public key was provided to the authentication server 12 at stage 2. As in the example shown in Fig. 1, a request sent by the VPN client 20 on the computing device 4 at stage 3 causes the VPN gateway 6 to initiate authentication of the associated user at stage 4. However, instead of sending the challenge to the mobile device 10 over the wireless network 8'', the challenge is sent at stage 5 to the VPN gateway 6, to be routed by the VPN client 20 to the crypto module 18 on the mobile device. It can be appreciated that a short-range wireless or direct wired connection (e.g., USB, Bluetooth, near field communication (NFC), etc.) between the mobile device 10 and the computing device 4 may trigger the VPN client 20 to ask the VPN gateway 6 to obtain the challenge, rather than having the challenge sent to the mobile device 10 over the wireless network 8''. In this way, the authentication server 12 need not attempt to deliver the challenge over the wireless network 8'' only to find that the mobile device is out of coverage. A flag, value or bit in the message sent from the VPN client 20 to the VPN gateway 6 may be used to indicate that the challenge and response are to be routed over the secure channel between the VPN client 20 and the VPN gateway 6.
Upon receiving the challenge, the crypto module 18 on the mobile device 10 signs the challenge and generates a response at stage 6, for example in a manner similar to that described above, and sends the response to the VPN client 20 on the computing device 4, so that the VPN client 20 can return the response to the authentication server 12 by sending it over the secure channel established with the VPN gateway 6. The VPN gateway 6 routes the response to the authentication server 12, so that the authentication server 12 can verify the signature on the challenge using the public key A_i associated with the user. The authentication server 12 may then, at stage 7, return to the VPN gateway 6 a confirmation that the signature has been verified (or a message indicating that the signature has been rejected). Assuming the signature is successfully verified, the VPN gateway 6 permits access to the private network 2 at stage 8.
An example configuration of the mobile device 10 is shown in Fig. 3. The crypto module 18 includes, or otherwise has access to at least a portion of, a memory 22. In this example the memory 22 stores the public key A and has a secure area 23 for storing the private key a. The crypto module 18 can therefore access the private key a and the public key A in order to perform cryptographic operations with them. The mobile device 10 in this example includes a display module 28, which allows the crypto module 18 to request entry of the PIN 30, for example via a UI. It can be appreciated that the PIN request may be made in various other ways. For example, the mobile device 10 may use a non-visual notification, such as a particular ring tone, tone or flashing light, to indicate that entry of the PIN 30 is requested. The mobile device 10 also includes one or more input/output (I/O) modules 32 (a single I/O module 32 is shown in Fig. 3 for ease of illustration). The I/O module 32 shown in Fig. 3 may represent any input mechanism, such as a keyboard, shortcut key, data port, memory slot, etc. The mobile device 10 in the example configuration shown in Fig. 3 also includes a communication subsystem 24 for accessing the public network 8 and for sending and receiving data over the public network 8, for example wirelessly. The mobile device 10 may also include a short-range communication module 26, which allows the mobile device 10 to establish a short-range connection with another device. For example, the short-range communication module 26 may be used to establish and use a Bluetooth connection. It can be appreciated that a short-range wired connection (e.g., a USB connection) may also be represented by the short-range communication module 26. Accordingly, the I/O module 32 or the short-range communication module 26 may generally represent any module on the mobile device 10 capable of supporting a direct wired or short-range wireless connection to the mobile device 10.
As can be seen in Fig. 3, obtaining the private/public key pair (a, A) at stage 1 may be performed through the communication subsystem 24 (e.g., over the air, as shown in Fig. 1) or through a direct connection to the I/O module 32 of the mobile device 10, for example. Similarly, receiving the challenge at stage 5 and providing the response at stage 6 may be implemented using the communication subsystem 24 (e.g., over the air, as shown in Fig. 1) or using a short-range or direct connection with the computing device 4 (e.g., as shown in Fig. 2).
An example configuration of the computing device 4 having the VPN client 20 is shown in Fig. 4. In this example, the computing device 4 includes a communication subsystem 34 for accessing the public network 8 so that the VPN client 20 can request access to the private network 2 at stage 3. The communication subsystem 34 may also be used to receive the challenge at stage 5 and to send the response at stage 6, for example as shown in the example of Fig. 2. The computing device 4 may also include a short-range communication module 36 for routing the challenge received at stage 5 to the mobile device 10, and for routing the response received from the mobile device 10 at stage 6 to the VPN gateway 6. As can be seen in Fig. 4, the VPN client 20 may also route the challenge and response at stages 5 and 6 through an I/O module 40 (e.g., a direct wired connection). The computing device 4 may also include a display 38, for example to allow the user to access the private network 2 through a UI.
An example configuration of the authentication server 12 is shown in Fig. 5. The authentication server 12 in this example includes a crypto module 42 that is configured or otherwise operable to participate at least in the challenge/response protocol, for example by generating the challenge (e.g., using a random number generator (RNG) 43) and by performing signature verification operations using the public key associated with the user requesting access to the private network 2. The authentication server 12 also includes a public key storage 44 for storing the public keys A_i associated with each user registered to access the private network 2 using a VPN client 20. The authentication server 12 also includes a communication subsystem 46 for communicating with the mobile device 10 (e.g., over the air, as shown in Fig. 1) or with the VPN gateway 6 (e.g., as shown in Fig. 2) in order to send the challenge and receive the response. The communication subsystem 46 may also be used to receive the request to initiate authentication from the VPN gateway 6 at stage 4, and to return to the VPN gateway 6 at stage 7 a confirmation of the verification, or a rejection, of the response. It can be appreciated that although a single communication subsystem 46 is shown in Fig. 5 for ease of illustration, more than one subsystem may be used. For example, a transceiver may be used to send the challenge to, and receive the response from, the mobile device 10, while a different transceiver or an Ethernet or other wired connection may be used to communicate with the VPN gateway 6.
Fig. 6 shows an example screen shot of a VPN authentication UI 50 displayed on a display 48 of the mobile device 10. The authentication UI 50 is shown requesting entry of the PIN 30 in an input box 52. It can be appreciated that the UI 50 shown in Fig. 6 may be displayed automatically upon receipt of the challenge, or may be launched by another mechanism such as a link in a message. For example, the challenge may be sent using an email, a Short Message Service (SMS) message, a peer-to-peer (P2P) message, a PIN-based message, or any other form of communication, and the UI 50 shown in Fig. 6 may be presented when a link or option in that message is selected.
Turning now to Fig. 7, an example set of computer executable operations is shown that may be performed in authenticating access to a private network according to the communication system of Fig. 1. At 60, the VPN client 20 of the computing device 4 requests access to the private network 2. The VPN gateway 6 receives the request and, in addition to establishing a secure channel with the VPN client 20, initiates authentication of the user associated with the request at 62. Upon detecting the request to initiate authentication, the authentication server 12 initiates the challenge/response protocol by generating a challenge (e.g., by generating a random number) at 64. The authentication server 12 then sends the challenge to the mobile device 10 over the air, and the mobile device 10 receives the challenge at 68. As discussed above, a message or other data packet may be used to deliver the challenge to the mobile device 10, for example.
After receiving the challenge at 68, the mobile device 10 obtains the PIN 30 from the user at 70, for example by requesting entry of the PIN 30 via the authentication UI 50. The crypto module 18 may then, at 72, generate a response using the challenge, the private key a, and the PIN 30 obtained at 70. For example, the response may comprise a signature on the challenge, where the challenge is signed using the private key a and the PIN 30, and the challenge may include additional information such as a timestamp. It may also be the case that the PIN 30 is used only to allow the mobile device 10 to access the crypto module, rather than being made part of the signed message. The message M to be signed in this example may include the challenge, the timestamp, and possibly the PIN 30. For example, using the ECDSA signature scheme, the crypto module 18 performs the following operations: generate a random integer $k$; compute $R = kG = (x, y)$, where $G$ is the generating point; compute $r = x \bmod n$; and compute $s = k^{-1}\{h(M) + ra\} \bmod n$, where $h$ is a hash function. The signature to be provided on the challenge, or as the challenge, comprises the two components $(r, s)$.
The response is then sent to the authentication server 12 at 74. The authentication server 12 receives the response at 76, and the response is verified at 78 by the crypto module 42 on the authentication server 12. For example, the signature on the challenge may be verified using a verification scheme complementary to the signature scheme used by the crypto module 18 on the mobile device 10 (e.g., the ECDSA verification scheme). If the response is verified at 78, the authentication server 12 may then confirm the verification to the VPN gateway 6 at 80. Upon receiving this confirmation at 82, the VPN gateway 6 permits the user authenticated using the mobile device 10 to access the private network 2 at 84. The VPN client 20 may then access the private network 2 at 86, and this access may continue until the session ends at 88 and 90.
Fig. 8 provides an example set of computer-executable operations that may be performed to authenticate access to the private network 2 in accordance with the communication system shown in Fig. 2. At 92, the VPN client 20 of the computing device 4 requests access to the private network 2. The VPN gateway 6 receives the request and, in addition to establishing a secure channel with the VPN client 20, initiates at 94 authentication of the user associated with the request. Upon detecting the request to initiate authentication, the authentication server 12 initiates the challenge/response protocol by generating a challenge at 96 (for example, by generating a random number). The authentication server 12 then sends the challenge to the VPN gateway 6 at 98, so that the VPN gateway 6 can send the challenge to the VPN client 20 on the computing device 4 at 100. At 102, the computing device 4 sends the challenge to the crypto module 18 on the mobile device 10 via the connection established with the mobile device 10, and the mobile device 10 receives the challenge at 104.
After receiving the challenge at 104, the mobile device 10 obtains the PIN 30 at 106, for example by requesting the user to enter the PIN 30 via the authentication UI 50, as discussed above. The crypto module 18 may then, at 108, generate a response using the challenge, the private key a and the PIN 30 obtained at 106. For example, the response may comprise a signature on the challenge, wherein the challenge is signed using the private key a and the PIN 30, and the challenge may include additional information such as a timestamp. The response is then sent at 110 to the VPN client 20 on the computing device 4, so that the VPN client 20 can send the response to the VPN gateway 6 at 112. The VPN gateway 6 then sends the response to the authentication server 12 at 114. The response is received by the authentication server 12 at 116 and verified at 118 using the crypto module 42 on the authentication server 12. For example, the signature on the challenge may be verified using a verification scheme that is complementary to the signature scheme used by the crypto module 18 on the mobile device 10. If the response can be verified at 118, the authentication server 12 may then confirm the verification to the VPN gateway 6 at 120. After receiving this confirmation at 124, the VPN gateway 6 at 126 permits the user authenticated using the mobile device 10 to access the private network 2. The VPN client 20 may then access the private network 2 at 128, and this access may continue until the session ends at 130 and 132.
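The challenge/response exchange of Fig. 7 (steps 64 to 78) and its gateway-routed variant of Fig. 8 (steps 96 to 118), carried out end to end as an added example that is not part of the patent: textbook ECDSA is used as the signature scheme, with secp256k1 as the curve, SHA-256 as h, M = challenge || timestamp, and the PIN 30 used only to unlock the private key (one of the two options the description allows). The 30-second freshness window and the one-time use of each challenge on the server side are assumptions of this example, not statements of the patent.

```python
# Added example, not the patent's own code. Assumed: secp256k1, SHA-256 as h,
# M = challenge || timestamp, PIN only unlocks the key, 30 s timestamp window.
import hashlib
import hmac
import secrets
import struct

# secp256k1 domain parameters (assumed; the patent does not name a curve)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # P + (-P) = O, and 2P = O when y = 0
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    acc = None  # double-and-add scalar multiplication k*pt
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N  # the patent's h

def generate_keypair():
    a = secrets.randbelow(N - 1) + 1  # stage 1: private key a, public key A = aG
    return a, _mul(a, G)

def ecdsa_sign(a: int, msg: bytes) -> tuple:
    """Crypto module 18: R = kG = (x, y), r = x mod n, s = k^-1 (h(M) + r*a) mod n."""
    e = h(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh random k for every signature
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * a) % N
        if r and s:
            return (r, s)

def ecdsa_verify(A: tuple, msg: bytes, sig: tuple) -> bool:
    """Crypto module 42: the ECDSA verification complementary to ecdsa_sign."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = _add(_mul(h(msg) * w % N, G), _mul(r * w % N, A))
    return X is not None and X[0] % N == r

def _message(challenge: bytes, ts: int) -> bytes:
    """M = challenge || timestamp, length-prefixed so the fields cannot shift."""
    return struct.pack(">I", len(challenge)) + challenge + struct.pack(">Q", ts)

class MobileDevice:
    """Mobile device 10: private key a held behind the PIN 30."""
    def __init__(self, a: int, pin: str):
        self._a = a
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, challenge: bytes, pin: str, now: int) -> dict:
        """Steps 70-72: the PIN entered via the authentication UI unlocks the key, then M is signed."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise PermissionError("wrong PIN: crypto module stays locked")
        r, s = ecdsa_sign(self._a, _message(challenge, now))
        return {"challenge": challenge, "ts": now, "r": r, "s": s}

class AuthServer:
    """Authentication server 12: issues challenges (step 64), verifies responses (step 78)."""
    def __init__(self, A: tuple, window: int = 30):
        self.A = A            # public key A, obtained e.g. via the CA 16
        self.window = window  # assumed freshness window for the timestamp, in seconds
        self.pending = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)  # "for example, by generating a random number"
        self.pending.add(c)
        return c

    def verify_response(self, resp: dict, now: int) -> bool:
        c = resp["challenge"]  # only an outstanding challenge, only while fresh
        if c not in self.pending or abs(now - resp["ts"]) > self.window:
            return False
        ok = ecdsa_verify(self.A, _message(c, resp["ts"]), (resp["r"], resp["s"]))
        if ok:
            self.pending.discard(c)  # one-time use: a replayed response is refused
        return ok
```

The server-side checks (outstanding challenge, timestamp window, single use) are what turn the random challenge into a defence against replayed responses. The curve arithmetic is plain affine textbook code for illustration, not a constant-time implementation.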
Fig. 9 shows another example in which a mobile computing device 10' is used both to authenticate the user and to access the private network 2 using the VPN client 20. It can be appreciated that the example shown in Fig. 9 is particularly suited to devices with wireless capability that are also used to provide remote access to the private network 2, for example tablet computers. As can be seen in Fig. 9, the mobile computing device 10' comprises the crypto module 18 and the VPN client 20, and in the exemplary scenario shown, the mobile computing device 10' may communicate over a public wireless network 8''. As discussed above, the private/public key pair (a, A) may be pre-configured over the wireless network 8'' in stage 1. In a manner similar to that discussed above, the public key may be provided to the authentication server 12, for example using the CA 16. In stage 3, the VPN client 20 on the mobile computing device 10' requests access to the private network 2 over the wireless network 8'' by establishing a secure channel with the VPN gateway 6. Stages 4, 5, 6, 7 and 8 then proceed in a manner similar to that discussed above with respect to Fig. 1, except that the challenge and response are exchanged with the same device as the one carrying the VPN client 20 that sent the request to access the private network 2.
Figure 10 illustrates an example configuration of the mobile computing device 10' having both the crypto module 18 and the VPN client 20. In the example shown in Figure 10, a communication subsystem 24 is shown, which is used to communicate with the VPN gateway 6, the authentication server 12 and the CA 16 over the wireless network 8''. It can be appreciated, however, that more than one communication subsystem 24 may be used. Similar to the example shown in Fig. 3, the crypto module 18 comprises, or otherwise has access to, at least a portion of the memory 22. In this example the memory 22 stores the public key A and has a secure area 23 for storing the private key a. The crypto module 18 may therefore access the private key a and the public key A in order to perform cryptographic operations using these keys. The mobile computing device 10' in this example comprises a display module 28, which enables the crypto module 18 to request entry of the PIN 30, for example through a PIN UI 54 provided to the display module 28 by the VPN client 20. The mobile computing device 10' also comprises one or more I/O modules 32 (one I/O module 32 is shown in Figure 10 for ease of illustration). Similar to the configuration shown in Fig. 3, the I/O module 32 shown in Figure 10 may represent any input mechanism such as a keyboard, shortcut keys, a data port, a memory slot, etc. In some examples, the I/O module 32 may also be used to pre-configure the private/public key pair on the mobile device 10.
Figure 11 provides an example set of computer-executable operations that may be performed to authenticate access to a private network in accordance with the communication system of Figure 10. It can be appreciated that the operations shown in Figure 11 are the same as those shown in Fig. 7 and therefore need not be repeated. It may be noted, however, that in this example the operations performed by the crypto module 18 and the VPN client 20 are performed by the same mobile computing device 10', as shown in Figure 11.
In another example, the mobile device 10 may be used in a system that is configured to continuously route all forms of pushed information from a host system 250 (for example, in an enterprise or in a private environment 220) to the mobile device 10. An example of such a system is now described with reference to Figure 12.
Figure 12 shows an example system diagram for redirecting user data items (for example, messages A or C) from a corporate enterprise computer system (host system) 250 to the user's mobile device 10 via a wireless router 200. The wireless router 200 provides wireless connectivity functionality, in that it abstracts most of the complexities of the wireless network 8'' and implements the features required to support pushing data to the mobile device 10. Although not shown, a plurality of mobile devices may access data from the host system 250. In this example, message A in Figure 12 represents an internal message sent from a desktop computer (not shown) within the host system 250 to any number of server computers in the corporate network (for example, a LAN), which may typically include a database server, a calendar server, an e-mail server, a voice-mail server, etc.
As can be seen in Figure 12, the private or corporate environment 220 may also include the host system 250 in addition to the VPN gateway 6, the CA 16 and the authentication server 16. It can be appreciated that the PKI 14, or another existing enterprise-wide PKI 14 available in the host system 250, may comprise the CA 16.
Message C in Figure 12 represents an external message from a sender that is not directly connected to the host system 250 (for example, the user's mobile device 10, some other user's mobile device (not shown), or any user connected to a public or private network 224 (for example, the Internet)). Message C may be an e-mail, voice mail, instant message (IM), calendar information, a database update, a web page refresh, or may even represent a command message from the user's mobile device 10 to the host system 250. In addition to the typical communication links, the host system 250 may also comprise the hardware and software associated with a corporate enterprise computer network system, one or more wireless mobility agents, TCP/IP connections, and a collection of data stores (for example, the data store for e-mail may be an off-the-shelf mail server such as a Microsoft … server or a Lotus … server), all of which sit behind the corporate firewall.
The mobile device 10 may be configured to communicate over the wireless network 8'' via a wireless link, in accordance with the requirements of each wireless network 8'' used. As an illustrative example of the operation of the wireless router 200 shown in Figure 12, consider a data item A that is re-encapsulated in an outer envelope B (the encapsulated data item A now being referred to as "data item (A)") and sent from the host system 250 by an application service provider (ASP) to the mobile device 10. Within the ASP is a computer program, similar to a wireless mobility agent, that runs on any computer in the ASP's environment and sends requested data items from a data store to the mobile device 10. The data item (A) destined for the mobile station is routed through the network 224 and through a firewall (not shown) that protects the wireless router 200.
Although the host system 250 is described above as being used in a corporate enterprise network environment, this is merely one example of a host service that provides push-based messages to a handheld wireless device when data arrives at the host system 250, where the handheld wireless device can notify the user in real time at the mobile device and preferably present the data.
Providing the wireless router 200 (sometimes called a "relay") has several major advantages for both the host system 250 and the wireless network 8''. The host system 250 typically runs a host service, which is considered to be any computer program running on one or more computer systems. The host service is considered to run in the host system 250, and the host system 250 may support any number of host services. A host service may or may not be aware of the fact that information is being transmitted to the mobile device 10. For example, an e-mail or messaging program may be receiving and processing e-mail while an associated program (for example, an e-mail wireless mobility agent) is also monitoring the user's mailbox and forwarding or pushing the same e-mail to the wireless device 10. Like CRM software, a host service may also be modified so that it is ready to exchange information with the mobile device 10 via the wireless router 200. In a third example, there may be public access to a series of host services. For example, a mobility agent may offer a Wireless Access Protocol (WAP) connection to a number of databases.
In a data messaging environment, the wireless router 200 can abstract the mobile device 10 and the wireless network 8'', offer push services to standard web-based server systems, and allow host services in the host system 250 to reach mobile devices 10 in many countries.
The host system 250 shown here has many methods of establishing a communication link with the wireless router 200. As one skilled in the art of data communications will appreciate, the host system 250 may establish a point-to-point connection using connection protocols such as TCP/IP, X.25, frame relay, ISDN, ATM or many other protocols. Over this connection there are several tunneling methods available for encapsulating and sending data, some of which include: HTTP/HTML, HTTP/XML, HTTP/proprietary, FTP, SMTP or some other proprietary data exchange protocol. Host systems 250 that may employ the wireless router 200 to perform pushes may include: field service applications, e-mail services, IM services, stock quote services, banking services, stock trading services, field sales applications, advertising messages, etc. The wireless network 8'' is abstracted by the wireless router 200, which performs this routing and push functionality. User-selected data items that a host may be exchanging may include: e-mail messages, instant messages, calendar events, meeting notifications, address entries, journal entries, personal reminders, alarm clocks, alerts, stock quotes, news bulletins, bank account transactions, field service updates, stock trades, heart monitoring information, vending machine stock levels, meter reading data, GPS data, etc., but may alternatively include any other type of message that is sent to the host system 250 or that the host system 250 obtains using intelligent agents, for example, data received after the host system 250 initiates a search of a database, website or bulletin board.
The wireless router 200 may offer a series of services to make push-based host services possible. These networks may include: (1) code division multiple access (CDMA) networks, (2) the Groupe Spécial Mobile or Global System for Mobile Communications (GSM) and General Packet Radio Service (GPRS), and (3) existing and upcoming third-generation (3G) and fourth-generation (4G) networks, for example, Enhanced Data rates for GSM Evolution (EDGE), Universal Mobile Telecommunications System (UMTS) and High-Speed Downlink Packet Access (HSDPA), Long Term Evolution (LTE), Wi-Max, etc. Some older examples of data-centric networks include, but are not limited to: (1) the Mobitex radio network ("Mobitex") and (2) the DataTAC radio network ("DataTAC").
To effectively provide push services to the host system 250, the wireless router 200 may implement a defined set of functions. It can be appreciated that one skilled in the art may select many different hardware configurations for the wireless router 200; however, many of the same or similar features would likely be present in the different configurations.
Referring now to Figure 13, a block diagram of an example configuration of the mobile device 10 is shown. The mobile device 10 comprises a number of components, for example a main processor 20 that controls the overall operation of the mobile device 10. Communication functions, including data and voice communications, are performed through the communication subsystem 24. The communication subsystem 24 receives messages from and sends messages to the wireless network 8''. In this example of the mobile device 10, the communication subsystem 24 is configured in accordance with the Global System for Mobile Communications (GSM) and General Packet Radio Service (GPRS) standards. GSM/GPRS wireless networks are used worldwide, and it is expected that these standards will ultimately be superseded by 3G and 4G networks such as EDGE, UMTS and HSDPA, LTE, Wi-Max, etc. New standards are still being defined, but it is believed that they will have similarities to the network behaviour described herein, and it will also be understood by persons skilled in the art that the examples described herein are intended to use any other suitable standards that are developed in the future. The wireless link connecting the communication subsystem 24 with the wireless network 8'' represents one or more different radio frequency (RF) channels operating according to the protocols defined for GSM/GPRS communications. With newer network protocols, these channels are capable of supporting both circuit-switched voice communications and packet-switched data communications.
The main processor 20 also interacts with additional subsystems such as a random access memory (RAM) 306, a flash memory 308, a display 28, an auxiliary input/output (I/O) subsystem 32, a data port 314, a keyboard 316, a speaker 318, a microphone 320, a GPS receiver 321, a short-range communication module 26 and other subsystems 324.
Figure 13 also shows the crypto module 18 and the memory 22, which stores the public key A and has a secure area for storing the private key a.
Some of the subsystems of the mobile device 10 perform communication-related functions, whereas other subsystems may provide "resident" or on-device functions. By way of example, the display 28 and the keyboard 316 may be used for both communication-related functions, such as entering a text message for transmission over the wireless network, and device-resident functions, such as a calculator or task list.
The mobile device 10 can send and receive communication signals over the wireless network 8'' after the required network registration or activation procedures have been completed. Network access is associated with a subscriber or user of the mobile device 10. To identify a subscriber, the mobile device 10 may use a subscriber module. Examples of such subscriber modules include a Subscriber Identity Module (SIM) developed for GSM networks, a Removable User Identity Module (RUIM) developed for CDMA networks and a Universal Subscriber Identity Module (USIM) developed for 3G networks such as UMTS. In the example shown, a SIM/RUIM/USIM 326 is to be inserted into a SIM/RUIM/USIM interface 328 in order to communicate with a network. The SIM/RUIM/USIM component 326 is one type of conventional "smart card" that can be used, among other things, to identify a subscriber of the mobile device 10 and to personalize the mobile device 10. Without the component 326, the mobile device 10 may not be fully operational for communication with the wireless network 8''. By inserting the SIM/RUIM/USIM 326 into the SIM/RUIM/USIM interface 328, a subscriber can access all subscribed services. Services may include: web browsing and messaging such as e-mail, voice mail, SMS and MMS. More advanced services may include: point of sale, field service and sales force automation. The SIM/RUIM/USIM 326 includes a processor and memory for storing information. Once the SIM/RUIM/USIM 326 is inserted into the SIM/RUIM/USIM interface 328, it is coupled to the main processor 20. In order to identify the subscriber, the SIM/RUIM/USIM 326 may contain some user parameters, such as an International Mobile Subscriber Identity (IMSI). An advantage of using the SIM/RUIM/USIM 326 is that a subscriber is not necessarily bound to any single physical mobile device. The SIM/RUIM/USIM 326 may also store additional subscriber information for a mobile device, including datebook (or calendar) information and recent call information. Alternatively, user identification information can also be programmed into the flash memory 308.
The mobile device 10 is typically a battery-powered device and includes a battery interface 332 for receiving one or more batteries 330 (typically rechargeable). In at least some examples, the battery 330 can be a smart battery with an embedded microprocessor. The battery interface 332 is coupled to a regulator (not shown), which assists the battery 330 in providing power V+ to the mobile device 10. Although current technology makes use of a battery, future technologies such as micro fuel cells may provide the power to the mobile device 10.
The mobile device 10 also includes an operating system 334 and software components 336 to 346, which are described in more detail below. The operating system 334 and the software components 336 to 346 that are executed by the main processor 20 are typically stored in a persistent store such as the flash memory 308, which may alternatively be a read-only memory (ROM) or similar storage element (not shown). Those skilled in the art will appreciate that portions of the operating system 334 and the software components 336 to 346, such as specific device applications, or parts thereof, may be temporarily loaded into a volatile store such as the RAM 306. Other software components can also be included.
The subset of software applications 336 that control basic device operations, including data and voice communication applications, is typically installed on the mobile device 10 during its manufacture. Other software applications include a message application 338, which can be any suitable software program that allows a user of the mobile device 10 to send and receive electronic messages. Various alternatives exist for the message application 338, as is well known to those skilled in the art. Messages that have been sent or received by the user are typically stored in the flash memory 308 of the mobile device 10 or in some other suitable storage element in the mobile device 10. In at least some examples, some of the sent and received messages may be stored remotely from the mobile device 10, such as in a data store of an associated host system with which the mobile device 10 communicates.
The software applications can further include a device state module 340, a Personal Information Manager (PIM) 342 and other suitable modules (not shown). The device state module 340 provides persistence, i.e. the device state module 340 ensures that important device data is stored in persistent memory, such as the flash memory 308, so that the data is not lost when the mobile device 10 is turned off or loses power.
The PIM 342 includes functionality for organizing and managing data items of interest to the user, such as, but not limited to, e-mail, contacts, calendar events, voice mails, appointments and task items. A PIM application has the ability to send and receive data items via the wireless network 8''. PIM data items may be seamlessly integrated, synchronized and updated via the wireless network 8'' with the mobile device subscriber's corresponding data items stored on and/or associated with a host computer system. For such items, this functionality creates a mirrored host computer on the mobile device 10. This can be particularly advantageous when the host computer system is the mobile device subscriber's office computer system.
The mobile device 10 may also comprise a connect module 344 and an IT policy module 346. The connect module 344 implements the communication protocols that are required for the mobile device 10 to communicate with the wireless infrastructure and with any host system (for example, an enterprise system) that the mobile device 10 is authorized to interface with.
The connect module 344 includes a set of APIs that can be integrated with the mobile device 10 to allow the mobile device 10 to use any number of services associated with the enterprise system. The connect module 344 allows the mobile device 10 to establish an end-to-end secure, authenticated communication pipe with the host system (not shown). A subset of the applications for which access is provided by the connect module 344 can be used to pass IT policy commands from the host system to the mobile device 10. This can be done in a wireless or wired manner. These instructions can then be passed to the IT policy module 346 to modify the configuration of the device 10. Alternatively, in some cases, the IT policy update can also be done over a wired connection.
The IT policy module 346 receives IT policy data that encodes the IT policy. The IT policy module 346 then ensures that the IT policy data is authenticated by the mobile device 10. The IT policy data can then be stored in the flash memory 306 in its native form. After the IT policy data is stored, a global notification can be sent by the IT policy module 346 to all of the applications residing on the mobile device 10. Applications to which the IT policy may apply then respond by reading the IT policy data to look for applicable IT policy rules.
Other types of software applications or components 339 can also be installed on the mobile device 10. These software applications 339 can be pre-installed applications (i.e. other than the message application 26') or third-party applications that are added after the manufacture of the mobile device 10. Examples of third-party applications include games, calculators, utilities, etc.
The additional applications 339 can be loaded onto the mobile device 10 through at least one of the wireless network 8'', the auxiliary I/O subsystem 32, the data port 314, the short-range communication subsystem 322 or any other suitable device subsystem 324. This flexibility in application installation increases the functionality of the mobile device 10 and may provide enhanced on-device functions, communication-related functions, or both. For example, secure communication applications may enable electronic commerce functions and other such financial transactions to be performed using the mobile device 10.
The data port 314 enables a subscriber to set preferences through an external device or software application, and extends the capabilities of the mobile device 10 by providing for information or software downloads to the mobile device 10 other than through a wireless communication network. The alternate download path may, for example, be used to load an encryption key onto the mobile device 10 through a direct, and thus reliable and trusted, connection in order to provide secure device communication.
The data port 314 can be any suitable port that enables data communication between the mobile device 10 and another computing device. The data port 314 can be a serial or a parallel port. In some instances, the data port 314 can be a USB port that includes data lines for data transfer and a supply line that can provide a charging current to charge the battery 330 of the mobile device 10.
The short-range communication module 26 provides for communication between the mobile device 10 and different systems or devices without the use of the wireless network 8''. For example, the subsystem 26 may include an infrared device and associated circuits and components for short-range communication. Examples of short-range communication standards include standards developed by the Infrared Data Association (IrDA), Bluetooth, and the 802.11 family of standards developed by IEEE.
In use, a received signal such as a text message, an e-mail message or a web page download may be processed by the communication subsystem 24 and input to the main processor 20. The main processor 20 may then process the received signal for output to the display 28 or, alternatively, to the auxiliary I/O subsystem 32. A subscriber may also compose data items, such as e-mail messages, for example using the keyboard 316 in conjunction with the display 28 and possibly the auxiliary I/O subsystem 32. The auxiliary I/O subsystem 32 may include devices such as: a touch screen, mouse, track ball, infrared fingerprint detector, or a roller wheel with dynamic button pressing capability. The keyboard 316 is an alphanumeric keyboard and/or a telephone-type keypad. However, other types of keyboards may also be used, for example a virtual or "soft" keyboard rendered as an image on a touch screen. A composed item may be transmitted over the communication network 8'' through the communication subsystem 24.
For voice communications, the overall operation of the mobile device 10 in this example is substantially similar, except that the received signals are output to the speaker 318 and the signals for transmission are generated by the microphone 320. Alternative voice or audio I/O subsystems, such as a voice message recording subsystem, can also be implemented on the mobile device 10. Although voice or audio signal output is accomplished primarily through the speaker 318, the display 28 can also be used to provide additional information such as the identity of a calling party, the duration of a voice call, or other voice call related information.
It will be appreciated that any module or component exemplified herein that executes instructions may include or otherwise have access to computer readable media such as storage media, computer storage media, or data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks or tape. Computer storage media may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules or other data. Examples of computer storage media include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by an application, a module, or both. Any such computer storage media may be part of the mobile device 10, any component of the private network 2 or any component related to the private network 2, etc., or any component accessible or connectable thereto. Any application or module described herein may be implemented using computer readable/executable instructions that may be stored or otherwise held by such computer readable media.
It will be appreciated that the examples and corresponding diagrams used herein are for illustrative purposes only. Different configurations and terminology can be used without departing from the principles expressed herein. For instance, components and modules can be added, deleted, modified, or arranged with differing connections without departing from these principles.
Accordingly, there is provided a method of operating a mobile device, the method comprising: receiving a challenge from an authentication server, the challenge having been generated according to a request to access a private network; obtaining a private value; generating a response to the challenge using the private value, the challenge and a private key; and sending the response to the authentication server.
There is also provided a computer readable medium and a mobile device configured to perform the above method.
There is also provided a method of operating an authentication server, the method comprising: generating a challenge; sending the challenge to a mobile device; receiving a response from the mobile device, the response having been generated by the mobile device using a private value, the challenge and a private key; verifying the response; and confirming verification of the response to a virtual private network gateway to permit a computing device to access a private network.
There is also provided a computer readable medium and a mobile device configured to perform the above method.
The steps or operations in the flow charts and diagrams described herein are for example only. There may be many variations to these steps or operations without departing from the spirit of the invention. For instance, the steps may be performed in a differing order, or steps may be added, deleted or modified.
Although the above principles have been described with reference to certain specific examples, various modifications thereof will be apparent to those skilled in the art, as outlined in the appended claims.

Claims (14)

1. A method of operating a mobile device, the method comprising:
receiving a challenge from an authentication server, the challenge having been generated according to a request to access a private network;
obtaining a private value;
generating a response to the challenge using the private value, the challenge and a private key; and
sending the response to the authentication server.
2. method according to claim 1, wherein, described privately owned value is personal identification number.
3. method according to claim 1, wherein, described inquiry is directly from described certificate server, to receive, and described response directly sends to described certificate server by public network.
4. method according to claim 1, wherein, described inquiry receives from described certificate server via Virtual Private Network gateway, and described response sends to described certificate server via described Virtual Private Network gateway.
5. method according to claim 1, wherein, described response comprises the signature that uses described inquiry, described private cipher key and described personal identification number to produce.
6. a computer-readable recording medium, comprises that, for operating the computer executable instructions of mobile device, described computer executable instructions comprises for carrying out according to the instruction of the method described in claim 1 to 5 any one.
7. a mobile device, comprises processor, memory and display, and described memory comprises for described processor is carried out according to the computer executable instructions of the method described in claim 1 to 5 any one.
8. a method for authenticating operation server, described method comprises:
Produce and address inquires to;
To mobile device, send described inquiry;
From described mobile device, receive response, described response is used privately owned value, described inquiry and private cipher key to produce by described mobile device;
Verify described response; And
To Virtual Private Network gateway, confirm the checking to described response, to permit computing equipment accessing private network.
9. method according to claim 8, wherein, described privately owned value is personal identification number.
10. method according to claim 8, wherein, described inquiry is directly to send to described mobile device, and described response directly receives from described mobile device by public network.
11. methods according to claim 8, wherein, described inquiry sends to described mobile device via described Virtual Private Network gateway, and described response receives from described mobile device via described Virtual Private Network gateway.
12. methods according to claim 8, wherein, described response comprises the signature that uses described inquiry, described private cipher key and described personal identification number to produce.
13. 1 kinds of computer-readable recording mediums, comprise for operating the computer executable instructions of mobile device, and described computer executable instructions comprises for carrying out the instruction of the method described according to Claim 8 to 12 any one.
14. 1 kinds of server apparatus, comprise processor and memory, and described memory comprises for making described processor carry out the computer executable instructions of the method described according to Claim 8 to 12 any one.
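The two claim sets above, like the summary paragraphs before them, fix the shape of the exchange but not its cryptography: the authentication server issues a challenge generated in response to a private-network access request, the mobile device turns that challenge, a private value such as a PIN and a private key into a signed response, and the server verifies the response before confirming to the VPN gateway. No signature algorithm is named and nothing says how the PIN enters the computation. The Python below is an added example, not code from the patent or from Certicom/BlackBerry, and fills those gaps with stated assumptions: Schnorr signatures over secp256k1 (written out from the curve parameters so the block runs on stock Python 3.8+ with no dependencies), a signing scalar derived with PBKDF2 from a device-held seed and the PIN so that a wrong PIN yields an invalid signature without the server ever holding the PIN, a 60-second single-use challenge bound to the device identifier, and the gateway confirmation modelled as the set of computing-device sessions the server has cleared. Device identifiers, session names, PINs and timestamps are constructed values.

```python
# Added example: challenge-response private-network login with a PIN-bound device key.
# Curve, key derivation and message framing are assumptions; the patent names none.
import hashlib
import secrets

# secp256k1 domain parameters (assumed signature group); needs Python 3.8+ for pow(x, -1, P).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    num, den = (3 * x1 * x1, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)  # tangent or chord
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0, "generator not on curve"   # check the constants
assert ec_mul(N, G) is None, "N is not the order of G"

def _e(r, pk, msg):  # Fiat-Shamir hash H(R || pk || msg) reduced to a scalar
    enc = b"".join(c.to_bytes(32, "big") for c in (*r, *pk)) + msg
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % N

def schnorr_sign(sk, msg):  # (R, s) with R = k*G and s = k + e*sk mod N
    k = secrets.randbelow(N - 1) + 1
    r = ec_mul(k, G)
    return r, (k + _e(r, ec_mul(sk, G), msg) * sk) % N

def schnorr_verify(pk, msg, sig):  # accept iff s*G == R + e*pk
    r, s = sig
    if r is None or not 0 < s < N:
        return False
    return ec_mul(s, G) == ec_add(r, ec_mul(_e(r, pk, msg), pk))

def _login_msg(device_id, challenge):  # bind purpose and device so the signature is not reusable
    return b"private-network-login|" + device_id.encode() + b"|" + challenge

class MobileDevice:
    def __init__(self, device_id, seed):
        self.device_id, self._seed = device_id, seed  # seed = device-held "private key" factor
    def _signing_key(self, pin):
        # Assumed design: seed and PIN both feed the scalar, so a wrong PIN gives a
        # different key and the server never has to store or see the PIN.
        d = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._seed, 20_000)
        return int.from_bytes(d, "big") % (N - 1) + 1
    def public_key(self, pin):  # registered with the authentication server at enrollment
        return ec_mul(self._signing_key(pin), G)
    def respond(self, challenge, pin):  # response built from PIN, challenge and private key
        return schnorr_sign(self._signing_key(pin), _login_msg(self.device_id, challenge))

class AuthServer:
    TTL = 60  # seconds a challenge stays valid
    def __init__(self):
        self.keys = {}                  # device_id -> enrolled public key
        self.pending = {}               # challenge -> (device_id, session_id, expiry)
        self.gateway_permitted = set()  # sessions the VPN gateway has been told to admit
    def enroll(self, device_id, pk):
        self.keys[device_id] = pk
    def issue_challenge(self, device_id, session_id, now):  # on a computing device's access request
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = (device_id, session_id, now + self.TTL)
        return challenge
    def verify(self, device_id, challenge, sig, now):
        entry = self.pending.pop(challenge, None)  # single use: a replay finds nothing
        if entry is None or entry[0] != device_id or now > entry[2]:
            return False
        pk = self.keys.get(device_id)
        if pk is None or not schnorr_verify(pk, _login_msg(device_id, challenge), sig):
            return False
        self.gateway_permitted.add(entry[1])      # confirmation of the verification to the gateway
        return True

def run_demo():  # constructed scenario: good login, replay, wrong PIN, stale challenge
    server = AuthServer()
    phone = MobileDevice("phone-42", secrets.token_bytes(32))
    server.enroll("phone-42", phone.public_key("2468"))
    out = {}
    c1 = server.issue_challenge("phone-42", "laptop-session-1", now=1000)
    out["correct_pin"] = server.verify("phone-42", c1, phone.respond(c1, "2468"), now=1010)
    out["replay"] = server.verify("phone-42", c1, phone.respond(c1, "2468"), now=1011)
    c2 = server.issue_challenge("phone-42", "laptop-session-2", now=2000)
    out["wrong_pin"] = server.verify("phone-42", c2, phone.respond(c2, "1234"), now=2010)
    c3 = server.issue_challenge("phone-42", "laptop-session-3", now=3000)
    out["expired"] = server.verify("phone-42", c3, phone.respond(c3, "2468"), now=3100)
    out["gateway_permitted"] = sorted(server.gateway_permitted)
    return out
```

Calling run_demo() returns a dictionary in which only the first login succeeds and only "laptop-session-1" is cleared at the gateway: the replayed challenge fails because it was popped on first use, the wrong PIN fails because it derives a different signing key than the one enrolled, and the stale challenge fails the expiry check. The hand-rolled curve arithmetic exists only so the block runs without dependencies; a deployment would take the signature scheme, the curve and the PBKDF2 work factor from a vetted library.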
CN201280027329.6A 2011-06-03 2012-06-01 System and method for accessing private networks Pending CN103583060A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201161493272P 2011-06-03 2011-06-03
US61/493,272 2011-06-03
PCT/CA2012/050373 WO2012162843A1 (en) 2011-06-03 2012-06-01 System and method for accessing private networks

Publications (1)

Publication Number Publication Date
CN103583060A true CN103583060A (en) 2014-02-12

Family

ID=47258251

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280027329.6A Pending CN103583060A (en) 2011-06-03 2012-06-01 System and method for accessing private networks

Country Status (5)

Country Link
US (1) US9118667B2 (en)
EP (1) EP2716094A4 (en)
CN (1) CN103583060A (en)
CA (1) CA2836194C (en)
WO (1) WO2012162843A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106464498A (en) * 2014-06-06 2017-02-22 欧贝特科技 Method for authenticating a first electronic entity by a second electronic entity and electronic entity implementing the method
CN108028829A (en) * 2015-07-02 2018-05-11 瑞典爱立信有限公司 Method for obtaining initial access to a network, and related wireless devices and network nodes
CN108259467A (en) * 2017-12-13 2018-07-06 晖保智能科技(上海)有限公司 Encryption and authentication method for a blockchain communication system
CN108632041A (en) * 2017-03-21 2018-10-09 汤姆逊许可公司 Device and method for forwarding connection
CN112913204A (en) * 2018-09-14 2021-06-04 品谱股份有限公司 Authentication of IoT devices including electronic locks

Families Citing this family (68)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8224894B1 (en) 2011-05-09 2012-07-17 Google Inc. Zero-click sharing of application context across devices
US8171137B1 (en) 2011-05-09 2012-05-01 Google Inc. Transferring application state across devices
US9830594B2 (en) 2011-05-17 2017-11-28 Ping Identity Corporation System and method for performing a secure transaction
US8346672B1 (en) 2012-04-10 2013-01-01 Accells Technologies (2009), Ltd. System and method for secure transaction process via mobile device
US10277630B2 (en) * 2011-06-03 2019-04-30 The Boeing Company MobileNet
US8943561B2 (en) * 2011-08-17 2015-01-27 Textpower, Inc. Text message authentication system
JP2014529964A (en) 2011-08-31 2014-11-13 ピング アイデンティティ コーポレーション System and method for secure transaction processing via a mobile device
US8819428B2 (en) * 2011-10-21 2014-08-26 Ebay Inc. Point of sale (POS) personal identification number (PIN) security
US9692732B2 (en) 2011-11-29 2017-06-27 Amazon Technologies, Inc. Network connection automation
US9059853B1 (en) * 2012-02-22 2015-06-16 Rockwell Collins, Inc. System and method for preventing a computing device from obtaining unauthorized access to a secure network or trusted computing environment
US9184800B2 (en) 2012-07-16 2015-11-10 Google Inc. Automated sharing of application data over a near field communication link
US9071928B2 (en) * 2012-09-11 2015-06-30 Cellco Partnership Trusted mode location service for mobile device access to private network based applications
US20140208406A1 (en) * 2013-01-23 2014-07-24 N-Dimension Solutions Inc. Two-factor authentication
EP2973285A4 (en) * 2013-03-12 2016-03-30 Intertrust Tech Corp SYSTEMS AND METHODS FOR SECURE TRANSACTIONS
US9125180B1 (en) * 2013-03-15 2015-09-01 Google Inc. Techniques for automatically establishing a long-lasting connection across computing devices configured for short-range wireless communication
US10706132B2 (en) 2013-03-22 2020-07-07 Nok Nok Labs, Inc. System and method for adaptive user authentication
US9887983B2 (en) 2013-10-29 2018-02-06 Nok Nok Labs, Inc. Apparatus and method for implementing composite authenticators
US10270748B2 (en) 2013-03-22 2019-04-23 Nok Nok Labs, Inc. Advanced authentication techniques and applications
US9961077B2 (en) 2013-05-30 2018-05-01 Nok Nok Labs, Inc. System and method for biometric authentication with device attestation
US9225714B2 (en) 2013-06-04 2015-12-29 Gxm Consulting Llc Spatial and temporal verification of users and/or user devices
US10439988B2 (en) 2013-08-21 2019-10-08 Vmware, Inc. On premises, remotely managed, host computers for virtual desktops
CN103475473B (en) * 2013-08-26 2016-10-05 数安时代科技股份有限公司 Digital signature method and device, and cryptographic operation method and server for digital signatures
WO2015078376A1 (en) * 2013-11-26 2015-06-04 Powa Technologies (Hong Kong) Ltd. Method and system for secure email
JP6201835B2 (en) * 2014-03-14 2017-09-27 ソニー株式会社 Information processing apparatus, information processing method, and computer program
US9264900B2 (en) * 2014-03-18 2016-02-16 Huawei Technologies Co., Ltd. Fast authentication for inter-domain handovers
JP2015192377A (en) * 2014-03-28 2015-11-02 富士通株式会社 Key transmission method, key transmission system, and key transmission program
US20150294313A1 (en) * 2014-04-14 2015-10-15 Mastercard International Incorporated Systems, apparatus and methods for improved authentication
US9654469B1 (en) 2014-05-02 2017-05-16 Nok Nok Labs, Inc. Web-based user authentication techniques and applications
US9413533B1 (en) 2014-05-02 2016-08-09 Nok Nok Labs, Inc. System and method for authorizing a new authenticator
US9577999B1 (en) 2014-05-02 2017-02-21 Nok Nok Labs, Inc. Enhanced security for registration of authentication devices
US9537868B2 (en) * 2014-07-29 2017-01-03 Time Warner Cable Enterprises Llc Communication management and policy-based data routing
US10148630B2 (en) 2014-07-31 2018-12-04 Nok Nok Labs, Inc. System and method for implementing a hosted authentication service
US9749131B2 (en) 2014-07-31 2017-08-29 Nok Nok Labs, Inc. System and method for implementing a one-time-password using asymmetric cryptography
US9455979B2 (en) 2014-07-31 2016-09-27 Nok Nok Labs, Inc. System and method for establishing trust using secure transmission protocols
US9875347B2 (en) 2014-07-31 2018-01-23 Nok Nok Labs, Inc. System and method for performing authentication using data analytics
US9736154B2 (en) 2014-09-16 2017-08-15 Nok Nok Labs, Inc. System and method for integrating an authentication service within a network architecture
US9998287B2 (en) * 2015-03-06 2018-06-12 Comcast Cable Communications, Llc Secure authentication of remote equipment
SG11201708295XA (en) * 2015-04-06 2017-11-29 Bitmark Inc System and method for decentralized title recordation and authentication
US9781105B2 (en) * 2015-05-04 2017-10-03 Ping Identity Corporation Fallback identity authentication techniques
CN105049481B (en) * 2015-06-01 2018-06-12 江苏云道信息技术有限公司 Method for supporting intelligent interaction among multiple heterogeneous systems
EP4016920A1 (en) 2015-06-30 2022-06-22 Visa International Service Association Confidential authentication and provisioning
GB2541162A (en) * 2015-07-13 2017-02-15 Vodafone Ip Licensing Ltd Machine to machine virtual private network
EP3375131B1 (en) 2015-11-13 2019-09-04 Telefonaktiebolaget LM Ericsson (publ.) Verification of service access in a communications system
US10148759B2 (en) * 2016-04-04 2018-12-04 Gogo Llc Presence-based network authentication
US10142323B2 (en) * 2016-04-11 2018-11-27 Huawei Technologies Co., Ltd. Activation of mobile devices in enterprise mobile management
WO2017223190A1 (en) * 2016-06-21 2017-12-28 Noa, Inc. Method and apparatus of implementing a vpn tunnel
CN107113319B (en) * 2016-07-14 2020-09-25 华为技术有限公司 A method, device, system and proxy server for response in virtual network computing authentication
US10637853B2 (en) 2016-08-05 2020-04-28 Nok Nok Labs, Inc. Authentication techniques including speech and/or lip movement analysis
US10769635B2 (en) 2016-08-05 2020-09-08 Nok Nok Labs, Inc. Authentication techniques including speech and/or lip movement analysis
US10237070B2 (en) 2016-12-31 2019-03-19 Nok Nok Labs, Inc. System and method for sharing keys across authenticators
US10091195B2 (en) 2016-12-31 2018-10-02 Nok Nok Labs, Inc. System and method for bootstrapping a user binding
US9992029B1 (en) * 2017-04-05 2018-06-05 Stripe, Inc. Systems and methods for providing authentication to a plurality of devices
US11601807B2 (en) * 2017-05-30 2023-03-07 Belgian Mobile Id Sa/Nv Mobile device authentication using different channels
CN107483419B (en) * 2017-07-28 2020-06-09 深圳市优克联新技术有限公司 Method, device and system for authenticating access terminal by server, server and computer readable storage medium
FR3070516B1 (en) * 2017-08-22 2019-09-13 Evidian METHOD FOR AUTHENTICATING A USER FROM AN AUTHENTICATION SERVER
WO2019074568A1 (en) * 2017-10-13 2019-04-18 Visa International Service Association Mitigating risk for hands-free interactions
US11868995B2 (en) 2017-11-27 2024-01-09 Nok Nok Labs, Inc. Extending a secure key storage for transaction confirmation and cryptocurrency
US11831409B2 (en) 2018-01-12 2023-11-28 Nok Nok Labs, Inc. System and method for binding verifiable claims
US11032326B2 (en) * 2018-06-19 2021-06-08 Verizon Patent And Licensing Inc. Systems and methods for accessing a private network
US10728230B2 (en) * 2018-07-05 2020-07-28 Dell Products L.P. Proximity-based authorization for encryption and decryption services
WO2020036401A1 (en) * 2018-08-13 2020-02-20 삼성전자 주식회사 Apparatus and method for registration on network in wireless communication system
TWI706281B (en) * 2019-02-19 2020-10-01 華東科技股份有限公司 Device verification method
US12041039B2 (en) 2019-02-28 2024-07-16 Nok Nok Labs, Inc. System and method for endorsing a new authenticator
US11792024B2 (en) 2019-03-29 2023-10-17 Nok Nok Labs, Inc. System and method for efficient challenge-response authentication
CN115039101A (en) * 2020-02-28 2022-09-09 那比伦公司 Multi-factor authentication of cloud-managed services
US11392684B2 (en) * 2020-07-09 2022-07-19 Bank Of America Corporation Authentication of user activities based on establishing communication links between network devices
US11165748B1 (en) * 2020-10-13 2021-11-02 Cisco Technology, Inc. Network security from host and network impersonation
US12126613B2 (en) 2021-09-17 2024-10-22 Nok Nok Labs, Inc. System and method for pre-registration of FIDO authenticators

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002019593A2 (en) * 2000-08-30 2002-03-07 Telefonaktiebolaget Lm Ericsson (Publ) End-user authentication independent of network service provider
CN1700638A (en) * 2004-05-18 2005-11-23 江苏省电力公司 Secure access method of enterprise network by means of secure authentication gateway
US20090158048A1 (en) * 2007-12-14 2009-06-18 Electronics And Telecommunications Research Institute Method, client and system for reversed access to management server using one-time password

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5668876A (en) * 1994-06-24 1997-09-16 Telefonaktiebolaget Lm Ericsson User authentication method and apparatus
US6065120A (en) 1997-12-09 2000-05-16 Phone.Com, Inc. Method and system for self-provisioning a rendezvous to ensure secure access to information in a database from multiple devices
US6983381B2 (en) * 2001-01-17 2006-01-03 Arcot Systems, Inc. Methods for pre-authentication of users using one-time passwords
US7373515B2 (en) 2001-10-09 2008-05-13 Wireless Key Identification Systems, Inc. Multi-factor authentication system
US6880079B2 (en) * 2002-04-25 2005-04-12 Vasco Data Security, Inc. Methods and systems for secure transmission of information using a mobile device
US7448080B2 (en) 2003-06-30 2008-11-04 Nokia, Inc. Method for implementing secure corporate communication
US7444508B2 (en) 2003-06-30 2008-10-28 Nokia Corporation Method of implementing secure access
US20070186099A1 (en) * 2004-03-04 2007-08-09 Sweet Spot Solutions, Inc. Token based two factor authentication and virtual private networking system for network management and security and online third party multiple network management method
EP1806934A1 (en) 2006-01-05 2007-07-11 Research In Motion Limited Methods and apparatus for increasing security and control of voice communication sessions using digital certificates
AT504581B1 (en) 2006-12-01 2009-03-15 Efkon Mobility Gmbh METHOD AND SYSTEM FOR READING DATA FROM A MEMORY OF A REMOTE DEVICE THROUGH A SERVER
US9166799B2 (en) 2007-12-31 2015-10-20 Airvana Lp IMS security for femtocells
SG166028A1 (en) * 2009-05-04 2010-11-29 Privylink Private Ltd Methods of robust multi-factor authentication and authorization and systems thereof

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106464498A (en) * 2014-06-06 2017-02-22 欧贝特科技 Method for authenticating a first electronic entity by a second electronic entity and electronic entity implementing the method
CN106464498B (en) * 2014-06-06 2020-02-21 欧贝特科技 Method for authenticating a first electronic entity by a second electronic entity and electronic entity
CN108028829A (en) * 2015-07-02 2018-05-11 瑞典爱立信有限公司 Method for obtaining initial access to a network, and related wireless devices and network nodes
US11290879B2 (en) 2015-07-02 2022-03-29 Telefonaktiebolaget Lm Ericsson (Publ) Method for obtaining initial access to a network, and related wireless devices and network nodes
CN108632041A (en) * 2017-03-21 2018-10-09 汤姆逊许可公司 Device and method for forwarding connection
CN108259467A (en) * 2017-12-13 2018-07-06 晖保智能科技(上海)有限公司 Encryption and authentication method for a blockchain communication system
CN112913204A (en) * 2018-09-14 2021-06-04 品谱股份有限公司 Authentication of IoT devices including electronic locks

Also Published As

Publication number Publication date
EP2716094A4 (en) 2014-12-03
CA2836194A1 (en) 2012-12-06
US20130046976A1 (en) 2013-02-21
CA2836194C (en) 2017-07-18
US9118667B2 (en) 2015-08-25
EP2716094A1 (en) 2014-04-09
WO2012162843A1 (en) 2012-12-06

Similar Documents

Publication Publication Date Title
CN103583060A (en) System and method for accessing private networks
US11910194B2 (en) Secondary device authentication proxied from authenticated primary device
US9729537B2 (en) System and method for identity management for mobile devices
US8904179B2 (en) System and method for exchanging key generation parameters for secure communications
US7809953B2 (en) System and method of secure authentication information distribution
US9154955B1 (en) Authenticated delivery of premium communication services to trusted devices over an untrusted network
CN101400060B (en) A method and devices for providing secure data backup from a mobile communication device to an external computing device
US9344896B2 (en) Method and system for delivering a command to a mobile device
KR20060135630A (en) User Authentication Method and Device of Data Processing System
US8689299B2 (en) System and method for accessing a software application
KR20160037213A (en) Processing electronic tokens
CN102056077B (en) Method and device for applying smart card by key
CN101309143A (en) Method and system for interactive sharing data between mobile terminals
KR20140095148A (en) Method for processing financial transactions based on social network service and terminal
CN101098234B (en) Method and system for sending secure messages
US12093943B2 (en) Methods, module and blockchain for distributed public keystore
Chowdhury et al. Distributed identity for secure service interaction
Emmanuel et al. Mobile Banking in Developing Countries: Secure Framework for Delivery of SMS-banking Services
CA2710075C (en) System and method for exchanging key generation parameters for secure communications
EP2608098A1 (en) System and method for accessing a software application
Minar et al. A Secured Bluetooth Based Social Network
HK1082855B (en) System and method of secure authentication information distribution

Legal Events

Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 2014-02-12)